Executive Summary
Cisco Talos has uncovered a sophisticated attack campaign exploiting CVE-2024-4577, a critical PHP-CGI remote code execution vulnerability, to compromise organizations in several countries. Attackers deploy Cobalt Strike beacons and use the TaoWu toolkit for post-exploitation activities, leveraging HTTP POST requests for initial access. GreyNoise telemetry indicates that this exploitation is more widespread than initially reported, affecting regions including the United States, Singapore, Indonesia, the United Kingdom, Spain, and India.
More than 1,089 unique IPs attempted exploitation in January 2025 alone, with Germany and China accounting for 43% of attack traffic origination. Organizations with exposed PHP-CGI installations on Windows should immediately block the malicious IPs (see the link below), patch affected systems, and perform retro-hunts to detect similar exploitation attempts.
Community Impact
Attackers could use CVE-2024-4577 to infiltrate payment processing systems, reservation platforms, and loyalty databases, leading to data breaches, financial fraud, and operational disruption for RH-ISAC Core Members. RH-ISAC Core Member Organizations should ingest the intelligence in this report and in the original Cisco Talos report (linked above), and review and ingest the Indicators of Compromise included below.
Indicators of Compromise
GreyNoise has provided a small subset of the IPs observed in this campaign; the larger collection, available here, contains over 2,204 IPs observed attempting to exploit CVE-2024-4577. RH-ISAC Core Members are encouraged to ingest the following Indicators of Compromise:
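A retro-hunt helper for the indicators above, added here as an example and not part of the RH-ISAC or GreyNoise material: it refangs IPs given in the report's `[.]` defanged form, scans web-server access-log lines, and flags requests from listed sources, marking POSTs because the executive summary notes HTTP POST as the campaign's initial-access method. The indicator values and log lines in it are constructed samples (RFC 5737 test addresses), not real IoCs.

```python
import re
from typing import Iterable

# Constructed sample indicators in the report's defanged format (RFC 5737 test ranges, not real IoCs).
DEFANGED_IOCS = """
203[.]0[.]113[.]45
198[.]51[.]100[.]7
"""

# Constructed sample access-log lines (common log format) from a PHP-CGI host.
SAMPLE_LOG = """\
203.0.113.45 - - [08/Jan/2025:10:12:01 +0000] "POST /index.php HTTP/1.1" 200 512
192.0.2.10 - - [08/Jan/2025:10:12:05 +0000] "GET /index.php HTTP/1.1" 200 1024
198.51.100.7 - - [08/Jan/2025:10:13:44 +0000] "GET /login.php HTTP/1.1" 404 0
203.0.113.45 - - [08/Jan/2025:10:14:02 +0000] "POST /api/login.php HTTP/1.1" 500 0
"""

# Client IP, timestamp, method and path from a common-log-format line.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)')


def refang(indicator: str) -> str:
    """Turn the defanged form 1[.]2[.]3[.]4 back into a plain dotted quad."""
    return indicator.strip().replace("[.]", ".")


def load_iocs(text: str) -> set[str]:
    """Parse a block of one-per-line defanged IPs into a lookup set."""
    return {refang(line) for line in text.splitlines() if line.strip()}


def retro_hunt(log_lines: Iterable[str], iocs: set[str]) -> list[dict]:
    """Return every request from a listed IP, marking POSTs as matching the
    campaign's initial-access pattern. Unparseable lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m["ip"] not in iocs:
            continue
        hits.append({"ip": m["ip"], "ts": m["ts"], "method": m["method"],
                     "path": m["path"], "initial_access_pattern": m["method"] == "POST"})
    return hits


if __name__ == "__main__":
    for hit in retro_hunt(SAMPLE_LOG.splitlines(), load_iocs(DEFANGED_IOCS)):
        print(hit)
```

Feed it the full GreyNoise list and a real access log in place of the constructed samples; any hit marked `initial_access_pattern` deserves a closer look at the host's PHP-CGI exposure and patch level.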